Cybercriminal abuse of hacked email accounts remains one of the greatest threats to…
In collaboration with researchers from UC Berkeley and UC San Diego, Barracuda security researchers have identified a new way of taking over mail accounts: lateral phishing. In lateral phishing attacks, cybercriminals misuse compromised accounts to send phishing emails to a range of recipients, from company contacts to business partners in other companies. The study found that one in seven companies had experienced lateral phishing attacks in the past seven months.
In 60 percent of the companies affected by lateral phishing, the researchers found more than one compromised account. Some had dozens of compromised accounts that launched lateral phishing attacks on additional employee accounts and on users in other companies. In total, the researchers identified 154 hijacked accounts that collectively sent hundreds of lateral phishing emails to more than 100,000 unique recipients.
Lateral Phishing: Long-Range Attacks
One of the most noticeable aspects of this new form of attack is the reach of potential victims. While around 40 percent of the targeted recipients were employees of the same company, the remaining 60,000 recipients were outside it: personal email addresses (for example, taken from the hacked accounts' contact lists) and business email addresses at partner organizations.
Because these attacks target such a wide range of victims, including employees' address book contacts and external organizations, they increase the reputational damage to the originally hacked company. There are three steps companies can take to protect themselves from lateral phishing attacks:
Training On Security Measures
Optimizing security training and educating employees about lateral phishing will help contain this threat. However, unlike traditional phishing attacks, which often use a fake email address, lateral phishing attacks are sent from a legitimate but compromised account.
Instructing users to check the sender properties or email headers for a forged sender therefore does not help. Instead, users should carefully check the URL of links in any email they receive by hovering over them with the cursor before clicking. Verify the actual destination, not just the URL text displayed in the email.
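One way to automate the check described above, as an added example (not the article's or Barracuda's code): a small Python scanner that parses an email's HTML body and flags links whose visible text names one domain while the href actually points to another. The sample message and the domain names in it are constructed, and the registrable-domain helper is a deliberate offline approximation.

```python
# Added example (not the article's code): flag links whose visible text names
# one domain while the href actually leads to another.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registrable(host):
    # Crude offline approximation of the registrable domain (last two labels).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def find_mismatched_links(html):
    """Return (href, text) pairs whose displayed domain differs from the real one."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown = DOMAIN_RE.search(text)
        if not shown:
            continue  # plain wording such as "click here": nothing to compare
        real_host = urlparse(href).hostname or ""
        if _registrable(shown.group(1)) != _registrable(real_host):
            flagged.append((href, text))
    return flagged

# Constructed sample body in the style of a lateral phishing message.
SAMPLE = ('<p>Please review the shared file: '
          '<a href="http://login.example-docs.test/">https://sharepoint.example.com/doc</a>'
          '</p><p>Our site: <a href="https://www.example.com/">www.example.com</a></p>')
```

Links whose text is plain wording ("click here") are not flagged here; they still need the hover check the article recommends.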
Use Advanced Detection Technologies
Lateral phishing is a challenging development in the field of email-based attacks. Because these malicious emails originate from a legitimate account, they are difficult to detect, even for a trained and knowledgeable user. Therefore, companies should invest in advanced detection techniques and services that use artificial intelligence and machine learning to identify phishing emails automatically.
Introduce Two-Factor Authentication
Finally, one of the most important measures to minimize the risk of lateral phishing is to use strong two-factor authentication (2FA), for example, using a 2FA application or a hardware-based token, if available. Non-hardware-based 2FA solutions, while still vulnerable to phishing, can help limit an attacker’s access to compromised accounts.
Social engineering and sophisticated cybercriminal tactics remain one of the greatest threats to corporate security. However, the risk of lateral phishing attacks can be significantly reduced by the security measures mentioned above.